[Bug 239977] Integer Overflow: ping(8) option "-G" and "-g", bypass the invalid sweepmax and sweepmin packet size check
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Mon Aug 19 23:06:24 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239977
Bug ID: 239977
Summary: Integer Overflow: ping(8) option "-G" and "-g", bypass
the invalid sweepmax and sweepmin packet size check
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: bin
Assignee: bugs at FreeBSD.org
Reporter: neerajpal09 at gmail.com
Integer Overflow is observed in ping(8) command line option "-G" and option
"-g".
* sbin/ping/ping.c:350 (-G) and sbin/ping/ping.c:364 (-g)
** "sweepmax = ltmp;" & "sweepmin = ltmp;" <= storing long value to int
variable
providing option "-G" with value 4294967297 and "-g" with 4294967292, will
bypass the check at sbin/ping/ping.c:339 and at sbin/ping/ping.c:354 and will
try to send packet with illegal range like (-4 ... 1) data bytes
[Steps to reproduce]
* root at freebsd:/usr/src/sbin/ping # ping -G 5 -g -1 localhost
ping: invalid packet size: `-1'
* root at freebsd:/usr/src/sbin/ping # ping -G 4294967297 -g 4294967292 localhost
PING localhost (127.0.0.1): (-4 ... 1) data bytes
8 bytes from 127.0.0.1: icmp_seq=4 ttl=64
9 bytes from 127.0.0.1: icmp_seq=5 ttl=64
--- localhost ping statistics ---
6 packets transmitted, 2 packets received, 66.7% packet loss
[Impact]
Bypass the check for invalid packet size and will try to send packet with
illegal sweepmax and sweepmin size properties.
Note: root privilege is required.
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list